======= Summary ======= Name: Arbitrary kernel mode memory writes in AVG Antivirus Release Date: 10 July 2007 Reference: NGS00500 Discover: Jonathan Lindsay <john-lindsay ngssoftware com> Vendor: Grisoft Vendor Reference: N/A Systems Affected: Windows NT based systems Risk: High Status: Fixed ======== TimeLine ======== Discovered: 13 April 2007 Released: 13 April 2007 Approved: 22 May 2007 Reported: 13 April 2007 Fixed: 9 July 2007 Published: 10 July 2007 =========== Description =========== The AVG Antivirus core kernel mode service driver (avg7core.sys) provides functionality that under a default install allows an unprivileged user to write arbitrary data to arbitrary addresses. This service provides the core detection (and probably disinfection) for the product. This issue has been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The version of avg7core.sys in question is 7.5.0.444. The driver supports two IOCTLs in its generic DeviceIoControl handler. One of these IOCTLs (0x5348E004) is used to get the core driver to perform privileged functions on behalf of the user mode component; 52 different functions are supported, and one of these is designed to copy arbitrary data from addresses taken unchecked from the user mode application. As the kernel mode service is started upon system start (as it is necessary for on-access scanning), and it is accessible as read/write to Everyone, any user can then use this functionality to overwrite arbitrary kernel code or data. ================= Technical Details ================= The AVG Antivirus core kernel mode service driver (avg7core.sys) provides functionality that under a default install allows an unprivileged user to write arbitrary data to arbitrary addresses. This service provides the core detection (and probably disinfection) for the product. This issue has been verified as affecting AVG Free 7.5.446 and AVG Antivirus 7.5.448. The version of avg7core.sys in question is 7.5.0.444. The driver supports two IOCTLs in its generic DeviceIoControl handler. One of these IOCTLs (0x5348E004) is used to get the core driver to perform privileged functions on behalf of the user mode component; 52 different functions are supported, and one of these is designed to copy arbitrary data from addresses taken unchecked from the user mode application. As the kernel mode service is started upon system start (as it is necessary for on-access scanning), and it is acessible as read/write to Everyone, any user can then use this functionality to overwrite arbitrary kernel code or data. The internal function in question is the fifth in the internal switch table and therefore referenced with an index of four. Internal to this function, a parameter specifies the type of copy to be performed. Using a value of five will cause a segment of one buffer to be copied to an arbitrary address. The data structures involved are convoluted, and are unlikely to be discovered by a brute-force attempt to attack the service (such as using a fuzzer); additionally, although a lot of pointers are taken unvalidated from a user mode buffer, the entire dispatch processing function is wrapped in a try/catch block. =============== Fix Information =============== For the request in this case, the buffer contents are validated with respect to their usage before being passed on to the subfunction that implements 52 privileged functions. The particular case used in the POC code results in STATUS_NOT_IMPLEMENTED being returned, before the IRP being completed. This fix has been implemented in AVG 7.5 build 476, core service version 7.5.0.476. The updated versions of AVG Antivirus can be downloaded from: http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=aff http://www.grisoft.com/doc/31/us/crp/0?prd=avw NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070